[ISN] Programmers Discover Internet Server Bug

From: mea culpa (jerichoat_private)
Date: Sun Jun 28 1998 - 00:37:53 PDT

  • Next message: mea culpa: "[ISN] Australia: EFA Calls for Abolition of Crypto Controls"

    Forwarded From: Aleph One <aleph1at_private>
    
    http://www.sddt.com/files/library/98/06/25/tbc.html
    
                  Source Programmers Discover Internet Server Bug
                                          
                          Daily Transcript Business Report
                                          
                                   June 25, 1998
                                          
        Programmers at San Diego Source, the online news service of the San
       Diego Daily Transcript, have discovered a security hole affecting Web
         server software from both Netscape Communications and software and
                       book publisher O'Reilly & Associates.
                                          
       The bug, allowing for the display of sensitive programming code being
        served by Windows NT and Windows 95 versions of Netscape Enterprise
          and O'Reilly & Associates' WebSite Professional, can be used by
            hackers to glean information considered by programmers to be
        invisible. The bug could allow for easy display of private documents
        featuring database passwords, user names and even programming codes
            that make events occur but are not meant for public perusal.
                                          
        So far the flaw has been shown to affect only machines running under
         the Windows operating system, but it is not clear if these are the
                       only two Web server programs affected.
                                          
         Netscape Communications, which was notified about the bug via its
       Developer Forum on Friday, has been working with the Daily Transcript
         and is investigating the issue. On Tuesday, when it was discovered
        that WebSite Professional also was vulnerable, O'Reilly & Associates
                                was alerted as well.
                                          
          Before either company had confirmed the bug's existence, Source
          programmers were able to view unprocessed server-side scripts on
        dozens of Web sites, including a server at Berkeley and www.osa.com,
                      which belongs to O'Reilly & Associates.
                                          
           Because publishing specific details about the bug would leave
       countless Web sites vulnerable, the Daily Transcript has agreed not to
         describe exactly how the bug works until both companies have had a
        chance to issue a patch. The bug, however, is similar to a Microsoft
        Internet Information Server glitch that surfaced last year and since
                                  has been patched
                                          
       "With that bug, you could tack a period to the end of a file name and
       get the same results that we're seeing here," said Leland Baker, an NT
       administrator and programmer at the Transcript who found the new bug.
         "This was a problem because hackers could look at the contents of
        unprocessed active server pages, which can contain Perl and VBScript
                            with sensitive information."
                                          
       Microsoft scrambled to patch that glitch after CNET published details
       on how to exploit it. The patch was successful, and Microsoft's IIS is
        not vulnerable to the new bug. But a quick visit to a site running a
          third-party program processing active server pages (ASPs) under
           Netscape Enterprise revealed that, once again, the unprocessed
          contents of ASPs can be viewed, so Microsoft's latest patch only
                      protects applications running under IIS.
                                          
            Bob Denny, lead developer for O'Reilly & Associates' WebSite
       Professional project, said the new bug stems from the fact that users
          can pass a file name containing extra characters to the NT/95/98
       operating system. Windows will accept the file name and open a file by
            the same name, except with the trailing characters removed.
                                          
        "We consider this a serious security problem," Denny said. "The 2.3
       release of WebSite Pro is scheduled imminently (within days). We have
          already implemented a fix for this problem, and the fix will be
                  available to our customers in the 2.3 version."
                                          
       "The bug is dangerous because it doesn't take a hacker to exploit it,"
        said Joseph Schmitt II, a system administrator for San Diego Source
       who helped identify the new glitch. "When virtually any user can visit
       your site and view the source code for an application, which sometimes
         includes vital system information, there's a real security threat.
       This bug may well affect the security of any file accessible via a URL
                          address, compiled or otherwise."
                                          
          Jim Obsitnik, Netscape's Enterprise Server product manager, said
        engineers at Netscape also were able to confirm the bug's existence,
             and he indicated a patch would be issued early next week.
                                          
       "We've taken a look at it. The bug is a new one, and we're looking for
                    the best way to get it out." Obsitnik said.
                                          
            The fix will also be included with the next point release of
                       Enterprise, due to ship in September.
                                          
         Obsitnik indicated that the bug could leave any server-side script
        vulnerable, including some compiled and uncompiled executable files.
                                          
           Server-side scripts are a sort of hybrid programming language,
          combining standard HTML tags with tags developed by third-party
         vendors to allow for dynamic content in Web pages. These scripts,
          processed by a program residing on the server rather than by the
       client's browser, commonly are used to integrate the contents of large
          databases with Web pages. The end user sees only the information
            requested, usually based on their input into a search page.
                                          
       Allaire Cold Fusion, a popular and powerful database integration tool,
                                is one such program.
                                          
         "The bug not only exposes the inner workings of a developer's own
         applications," said Ben Forta, long-time Cold Fusion developer and
       Allaire's product spokesman. "It could also expose highly confidential
             data like network and database login names and passwords."
                                          
        If hackers can view this information, it may be possible for them to
                             alter or even delete data.
                                          
        While helping Netscape pinpoint which sites were affected, Baker and
          Schmitt discovered that servers running Web Site Professional, a
          popular Web server package from O'Reilly & Associates, also were
                                    vulnerable.
                                          
         "I viewed the source of one of their Cold Fusion scripts and then
       e-mailed it to them," Baker said. "The guy I initially talked to there
                                was very concerned."
                                          
            The bug is especially important to developers because entire
          applications -- even entire sites -- are built using Cold Fusion
                          markup language (CFML) and ASP.
                                          
          Cold Fusion ships with a program to encrypt CFML pages, but the
        utility introduces a sometimes difficult layer to the administration
                                      process.
                                          
       "A lot of times, developers will encrypt a Cold Fusion application if
         they sell it so that the source code can't be reused or modified,"
       Baker said. "But encrypting an entire site can be difficult to manage.
       Any bug fixes or modifications would have to be made to an unencrypted
       file, moved and re-encrypted. When you're dealing with a large number
        of files, this can seem like a tedious process until you get used to
                                        it."
                                          
        San Diego Source, at www.sddt.com, features numerous databases using
       CFML to provide information on commercial leases, home purchases, the
       San Diego Stock Exchange and more. Since discovering the bug, however,
         San Diego Source has taken these extra steps to encrypt every CFML
           script on the site to protect the integrity of the databases.
         _________________________________________________________________
                                          
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:14 PDT